
When a user logs in to a service provider, SURFconext sends a so-called SAML assertion to the service provider. This SAML assertion contains a number of statements about the user who is logging in to your service, including their identity and possibly a number of additional attributes (see below). More information about SAML can be found on this page.

Note

SURFconext's SAML2 implementation adheres to the SAML2int standard.

In general, on this page we will show you which attributes SURFconext and its Identity Providers have to offer.

User identifiers

The user's identity is transmitted in the form of the NameID element of the SAML statement. Service Providers should use the NameID (rather than the email address or other attributes that might change over time) to identify users. The NameID is guaranteed to be stable and never to change for a fixed user (except in the case of transient identifiers, see below).

SURFconext can provide NameIDs of three different types:

  • A persistent identifier. A persistent NameID contains a random string that uniquely identifies the user for this SP, and which persists over multiple sessions for the same user.
  • A transient identifier. A transient NameID contains a random string that uniquely identifies the user for this SP during the session. Once the user's session at SURFconext expires and the user logs in to your service once more, a new transient identifier is generated for the user and SP.
  • A legacy identifier. A legacy NameID contains a human-readable identifier of the form urn:collab:person:example.com:johndoe. This form of the identifier is deprecated and is not available for newly connected services, because SURFconext wants to have fine-grained control over the released attributes; this is easier to manage if no personal information is disclosed in the NameID. If the SP needs information that is contained in the legacy NameID format (for example, the user's home institution), it should use the proper attributes (for example, schacHomeOrganization, see below) as the source for this information.

Persistent and transient identifiers typically have the form "bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef". However, this form may change in the future, and service providers MUST NOT rely on the NameID being a 40-character hexadecimal string.

The two supported NameID types, for persistent and transient NameID specifiers respectively, are

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

which are specified in sections 8.3.7 and 8.3.8 of the SAML2 core specification.

By default, SURFconext offers the transient form of the NameID to services. Service providers that need persistent identifiers can negotiate use of the persistent NameID format when their service is connected to SURFconext.

Attributes

By default, the NameID is the only piece of information about the authenticated user that SURFconext conveys to SPs. However, in many cases services require more information about the user, such as a name or an email address.

Because of European privacy regulations, we cannot release such information to SPs by default. In order to receive additional information, the user's home institution needs to give permission for each SP to receive its users' data. Typically, such permission is arranged during the initial SURFconext setup procedure.

Furthermore, when a user first logs in to a service, SURFconext informs them which attributes, and which information contained in them, are going to be sent to the service. If the user does not consent to this information being transmitted, they can still abort the login to the service.

Attribute schemas

SURFconext supports two attribute schemas: the urn:oid schema and the urn:mace schema. Both can be used to convey the same information (except for the NameID, which is only available in the urn:oid schema). By default SURFconext provides attributes in both schemata as part of the assertion. Mixing the two schemata is not recommended, but for legacy reasons SURFconext offers both.

Attribute overview

SURFconext supports relaying of the following attributes:

Each attribute is listed with its friendly name, its attribute name in the urn:mace and urn:oid schemas, the standard that defines it, its data type, and example values.

ID (NameID)
Attribute name: urn:mace:dir:attribute-def:eduPersonTargetedID, urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Definition: eduPerson
Data type: UTF8 string (unbounded)
Example: bd09168cf0c2e675b2def0ade6f50b7d4bb4aae

Surname
Attribute name: urn:mace:dir:attribute-def:sn, urn:oid:2.5.4.4
Definition: X.520
Data type: UTF8 string (unbounded)
Example: Vermeegen

Given name
Attribute name: urn:mace:dir:attribute-def:givenName, urn:oid:2.5.4.42
Definition: X.520
Data type: UTF8 string (unbounded)
Example: Mërgim Lukáš

Common name
Attribute name: urn:mace:dir:attribute-def:cn, urn:oid:2.5.4.3
Definition: X.520
Data type: UTF8 string (unbounded)
Example: Prof.dr. Mërgim Lukáš Vermeegen

Display name
Attribute name: urn:mace:dir:attribute-def:displayName, urn:oid:2.16.840.1.113730.3.1.241
Definition: RFC2798
Data type: UTF8 string (unbounded)
Example: Prof.dr. Mërgim L. Vermeegen

Email address
Attribute name: urn:mace:dir:attribute-def:mail, urn:oid:0.9.2342.19200300.100.1.3
Definition: RFC4524
Data type: RFC-5322 address (max 256 chars)
Examples: m.l.vermeegen@university.example.org; "very.unusual.@.unusual.com"@example.com; mlv@[IPv6:2001:db8::1234:4321]

Organization
Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganization, urn:oid:1.3.6.1.4.1.25178.1.2.9
Definition: Schac
Data type: RFC-1035 domain string
Example: university.example.org

Organization type
Attribute name: urn:mace:terena.org:attribute-def:schacHomeOrganizationType, urn:oid:1.3.6.1.4.1.25178.1.2.10
Definition: Schac
Data type: RFC-2141 URN (see the Schac standard)
Examples: urn:mace:terena.org:schac:homeOrganizationType:int:university; urn:mace:terena.org:schac:homeOrganizationType:es:opi

Affiliation
Attribute name: urn:mace:dir:attribute-def:eduPersonAffiliation, urn:oid:1.3.6.1.4.1.5923.1.1.1.1
Definition: eduPerson
Data type: Enum type (UTF8 string)
Examples: faculty, student, staff, (alum, member, affiliate, employee, library-walk-in)

Entitlement
Attribute name: urn:mace:dir:attribute-def:eduPersonEntitlement, urn:oid:1.3.6.1.4.1.5923.1.1.1.7
Definition: eduPerson
Data type: RFC-2141 URN, multi-valued
Example: to be determined per service

PrincipalName
Attribute name: urn:mace:dir:attribute-def:eduPersonPrincipalName, urn:oid:1.3.6.1.4.1.5923.1.1.1.6
Definition: eduPerson
Data type: UTF8 string, user@domain
Example: not.a@vålîd.émail.addreß

isMemberOf
Attribute name: urn:mace:dir:attribute-def:isMemberOf, urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Definition: eduMember
Data type: RFC-2141 URN, multi-valued
Examples: urn:collab:org:surf.nl; urn:collab:org:clarin.org

uid
Attribute name: urn:mace:dir:attribute-def:uid, urn:oid:0.9.2342.19200300.100.1.1
Definition: RFC4519
Data type: UTF8 string (max 256 chars)
Examples: s9603145; flåp@example.edu

preferredLanguage
Attribute name: urn:mace:dir:attribute-def:preferredLanguage, urn:oid:2.16.840.1.113730.3.1.39
Definition: RFC2798, BCP47
Data type: List of BCP47 language tags
Examples: nl; nl, en-gb;q=0.8, en;q=0.7

eduPersonTargetedID
Attribute name: urn:mace:dir:attribute-def:eduPersonTargetedID, urn:oid:1.3.6.1.4.1.5923.1.1.1.10
Definition: eduPerson
Data type: UTF8 string (unbounded)
Example: 24d66f51ac1c0b140e617af335b9abb4b8d88a5b

Note that not every identity provider makes all of these attributes available.
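To make the identifier and schema rules above concrete, here is an added example (not SURFconext's code) of how a service provider could consume an assertion: it accepts only the two supported NameID formats, folds the urn:mace attributes onto their urn:oid equivalents, ignores the pre-2013 home-organisation key, and keys the user on the persistent NameID rather than on mail, uid or eduPersonPrincipalName. It assumes the assertion's XML signature has already been verified by your SAML library, and the sample assertion and all its values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# urn:mace names mapped to their urn:oid twins (subset of the overview above),
# so a service reads one schema consistently whichever one the IdP sent.
MACE_TO_OID = {
    "urn:mace:dir:attribute-def:eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "urn:mace:dir:attribute-def:mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}
# Pre-2013 (wrong) key for schacHomeOrganization, still sent for compatibility: ignore it.
LEGACY_HOME_ORG_OID = "urn:oid:1.3.6.1.4.1.1466.115.121.1.15"

# Constructed sample assertion (identifier and attribute values are made up).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonTargetedID"><saml:AttributeValue>bd09168cf0c2e675b2def0ade6f50b7d4bb4aaef</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail"><saml:AttributeValue>m.l.vermeegen@university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9"><saml:AttributeValue>university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15"><saml:AttributeValue>university.example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>student</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (nameid, nameid_format, attrs); attrs is keyed by urn:oid name."""
    root = ET.fromstring(xml_text)
    nameid_el = root.find("saml:Subject/saml:NameID", NS)
    if nameid_el is None:
        raise ValueError("assertion has no Subject/NameID")
    fmt = nameid_el.get("Format")
    if fmt not in (PERSISTENT, TRANSIENT):
        raise ValueError("unsupported NameID format: %r" % fmt)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = MACE_TO_OID.get(attr.get("Name"), attr.get("Name"))
        if name == LEGACY_HOME_ORG_OID:
            continue
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        # Both schemas carry the same data: keep the union without duplicates.
        merged = attrs.setdefault(name, [])
        for v in values:
            if v not in merged:
                merged.append(v)
    return nameid_el.text, fmt, attrs


def stable_user_key(nameid, fmt, attrs):
    """Key to store the user under: the persistent NameID, never mail, uid or eppn."""
    if fmt != PERSISTENT:
        return None  # transient: a new value comes next session, so persist nothing
    # SURFconext copies the NameID into eduPersonTargetedID; a mismatch is a red flag.
    targeted = attrs.get("urn:oid:1.3.6.1.4.1.5923.1.1.1.10", [])
    if targeted and targeted != [nameid]:
        raise ValueError("eduPersonTargetedID does not match NameID")
    return nameid
```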

Detailed attribute descriptions

ID

See User identifiers above.

Surname

urn:mace

urn:mace:dir:attribute-def:sn

urn:oid

urn:oid:2.5.4.4

Multiplicity

single-valued

Description

The surname of a person (including any words such as "van", "de", "von" etc.) used for personalisation; this can be a combination of existing attributes.

Notes

 

Given name

urn:mace

urn:mace:dir:attribute-def:givenName

urn:oid

urn:oid:2.5.4.42

Multiplicity

single-valued

Description

Given name / "name known by"; combinations of title, initials, and "name known by" are possible.

Notes

 

Common name

urn:mace

urn:mace:dir:attribute-def:cn

urn:oid

urn:oid:2.5.4.3

Multiplicity

multi-valued

Description

Full name.

Notes

For example, a typical name of a person in an English-speaking country comprises a personal title (e.g. Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g. Jr.) and decorations and awards (if any, e.g. CBE).


Display name

urn:mace

urn:mace:dir:attribute-def:displayName

urn:oid

urn:oid:2.16.840.1.113730.3.1.241

Multiplicity

single-valued

Description

Name as displayed in applications

Notes

  •  This attribute can typically be changed by the end-users themselves, and is therefore not very suitable for identification.

Email address

urn:mace

urn:mace:dir:attribute-def:mail

urn:oid

urn:oid:0.9.2342.19200300.100.1.3

Multiplicity

multi-valued

Description

e-mail address; syntax in accordance with RFC 5322

Notes

  • Multiple email addresses are allowed
  • An email address is not necessarily the email address of this person at the institution.
  • Do not use this attribute to uniquely identify a user. Use the NameID instead.
  • A user's email address may change over time, or an IdP may allow a user to change this value themselves. This makes the attribute unsuitable for authentication and authorization purposes.

uid

urn:mace

urn:mace:dir:attribute-def:uid

urn:oid

urn:oid:0.9.2342.19200300.100.1.1

Multiplicity

multi-valued

Description

The unique code for a person that is used as the login name within the institution.

Notes

  • The uid is not a unique identifier for SURFconext users.  Uid values are at most unique for each IdP.
  • Ideally the uid is not only a login name/code but also an identifier that is guaranteed as being unique within the institution over the course of time. At the moment, there is no such guarantee.
  • Use the NameID for unique identifiers in SURFconext rather than uid.
  • Use the eduPersonPrincipalName attribute if a human-readable unique identifier is required
  • A uid may contain any unicode character. E.g., "org:surfnet.nl:joe von stühl" is a valid uid.
  • SURFconext translates @-characters in the uid to underscores.  Yes, this means that uids are not guaranteed to be unique.

Home organisation

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganization

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.9

Multiplicity

single-valued

Description

The user's organisation using the organisation's domain name; syntax in accordance with RFC 1035.

Notes

  • In the past, SURFconext used to send the home organisation in the attribute urn:oid:1.3.6.1.4.1.1466.115.121.1.15, which was incorrect. Since 2013, the correct OID urn:oid:1.3.6.1.4.1.25178.1.2.9 is in use. For reasons of compatibility, the old (wrong) key is also still sent. It should not be used in new implementations.

Organization type

urn:mace

urn:mace:terena.org:attribute-def:schacHomeOrganizationType

urn:oid

urn:oid:1.3.6.1.4.1.25178.1.2.10

Multiplicity

single-valued

Description

designation of the type of organisation as defined on http://www.terena.org/registry/terena.org/schac/homeOrganizationType

Notes

 

Affiliation

urn:mace

urn:mace:dir:attribute-def:eduPersonAffiliation

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.1

Multiplicity

multi-valued

Description

Indicates the relationship between the user and his home organisation.  The following values are permitted:

  • student — student
  • employee — all employees
  • staff — academic staff

Notes

Identity providers might internally use additional values for the affiliation attribute, such as alum or affiliate. Per SURFconext policy, such users are not allowed access to SURFconext.
Warning: the attribute values are case sensitive!

Entitlements

urn:mace

urn:mace:dir:attribute-def:eduPersonEntitlement

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.7

Multiplicity

multi-valued

Description

entitlement; custom URI (URL or URN) that indicates an entitlement to something.

Notes

  • This attribute can be used to communicate entitlements, roles, etc, from identity providers to services, which can be used, for example, for authorization.
  • The values of this attribute are scoped to the identity provider that is authoritative for the attribute.  See also the SURFconext entitlement namespacing policy.

Principal name

urn:mace

urn:mace:dir:attribute-def:eduPersonPrincipalName

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.6

Multiplicity

single-valued

Description

Unique identifier for a user.  

Notes

  • Although this value resembles an email address, it MUST NOT be used as an email address. In many cases mail cannot be delivered to this "address".
  • Even though this value uniquely identifies a user, it is not guaranteed that it is persistent over sessions (even though it usually is).
  • Do not use this to uniquely identify users. Use the NameID instead.

isMemberOf

urn:mace

urn:mace:dir:attribute-def:isMemberOf

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.5.1.1

Multiplicity

multi-valued

Description

Lists the collaborative organisations the user is a member of.

Notes

  • Attribute values are URIs (URN or URL)
  • The only currently supported value is urn:collab:org:surf.nl, which indicates that the user's home institution is a member of SURFnet.
  • In the future, this can be used to determine membership of non-institutional collaborative organisations.

Preferred Language

urn:mace

urn:mace:dir:attribute-def:preferredLanguage

urn:oid

urn:oid:2.16.840.1.113730.3.1.39

Multiplicity

single-valued

Description

a two-letter abbreviation for the preferred language according to the ISO 639 language abbreviation code table; no subcodes.

Notes

Used to indicate an individual's preferred written or spoken language. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in RFC 2068, with one exception: the value ":" should be omitted.

EduPersonTargetedID

urn:mace

urn:mace:dir:attribute-def:eduPersonTargetedID

urn:oid

urn:oid:1.3.6.1.4.1.5923.1.1.1.10

Multiplicity

single-valued

Description

Automatically generated (and overwritten) by SURFconext with a copy from Subject -> NameID

Notes

This attribute is specified because Subject -> NameID is not part of the SAML 2.0 response.
